
Most feeds embed HTML markup within feed
elements. Some feeds even embed other types of markup, such as SVG or MathML.
Since many feed aggregators use a web browser (or browser component) to display
content, Universal Feed Parser sanitizes embedded markup to remove
things that could pose security risks.

If the content is declared to be (or is determined to be)
text/plain, it will not be sanitized; this avoids data loss, because
plain text can legitimately contain angle brackets. It is recommended that
you check the content type in, for example, entries[i].summary_detail.type.
If it is text/plain then the value has not been sanitized, and you should
perform HTML escaping yourself before rendering it in anything that
interprets HTML.
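The check described above, as an added example written for this page (it is not code from the Universal Feed Parser project). It assumes only the documented shape of a content-detail mapping, a `type` and a `value`, and shows the one decision the text asks for: escape text/plain, pass sanitized HTML through. The sample entries and the Atom feed are constructed for the demonstration; the feed is only parsed when feedparser happens to be installed.

```python
import html

try:
    import feedparser  # the library this page documents; optional for the demo below
except ImportError:
    feedparser = None


def render_safe(detail):
    """Return markup that is safe to hand to an HTML renderer.

    ``detail`` is a content-detail mapping in the shape feedparser
    produces (entry.summary_detail, or one element of entry.content):
    a ``type`` holding the MIME type and a ``value`` holding the text.
    Only the HTML-like types have been through the parser's sanitizer;
    text/plain is passed through verbatim, so it must be escaped here
    before a browser component gets to see it.
    """
    ctype = (detail.get("type") or "").lower()
    value = detail.get("value") or ""
    if ctype == "text/plain":
        # "<script>" becomes "&lt;script&gt;": displayed as text, never parsed as a tag.
        return html.escape(value, quote=True)
    # text/html, application/xhtml+xml, ...: already sanitized by feedparser.
    return value


def render_summaries(entries):
    """Apply render_safe to the summary of every entry."""
    return [render_safe(entry["summary_detail"]) for entry in entries]


# Constructed sample (not from the original page): two entries in the
# shape feedparser returns. The first declared its summary as plain text,
# so the angle brackets are literal characters of that text.
CONSTRUCTED_ENTRIES = [
    {"summary_detail": {"type": "text/plain",
                        "value": 'Never write <script>alert("x")</script> in a summary'}},
    {"summary_detail": {"type": "text/html",
                        "value": "<p>Sanitized <b>HTML</b> summary</p>"}},
]

# Constructed Atom feed carrying the same two entries, for running the
# real parser when feedparser is installed. The onclick attribute on the
# second entry is what the sanitizer removes.
CONSTRUCTED_FEED = """<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom">
  <title>sanitization demo</title>
  <entry>
    <title>plain</title>
    <summary type="text">Never write &lt;script&gt;alert("x")&lt;/script&gt; in a summary</summary>
  </entry>
  <entry>
    <title>html</title>
    <summary type="html">&lt;p onclick="alert(1)"&gt;Sanitized &lt;b&gt;HTML&lt;/b&gt; summary&lt;/p&gt;</summary>
  </entry>
</feed>
"""


if __name__ == "__main__":
    entries = CONSTRUCTED_ENTRIES
    if feedparser is not None:
        entries = feedparser.parse(CONSTRUCTED_FEED).entries
    for entry, markup in zip(entries, render_summaries(entries)):
        print(entry["summary_detail"]["type"], "->", markup)
```

The same check applies to every content-detail structure the parser produces (title_detail, each element of content, and so on); the MIME type, not the element name, decides whether escaping is still needed.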

The following CSS properties are allowed by
default in style attributes (all others are stripped):

azimuth
background-color
border-bottom-color
border-collapse
border-color
border-left-color
border-right-color
border-top-color
clear
color
cursor
direction
display
elevation
float
font
font-family
font-size
font-style
font-variant
font-weight
height
letter-spacing
line-height
overflow
pause
pause-after
pause-before
pitch
pitch-range
richness
speak
speak-header
speak-numeral
speak-punctuation
speech-rate
stress
text-align
text-decoration
text-indent
unicode-bidi
vertical-align
voice-family
volume
white-space
width

Note

Not all possible CSS values are allowed for these properties. The
allowable values are restricted by a whitelist of keywords and a regular
expression that matches color values and lengths; anything else is dropped.
URI values (such as url(...)) are never allowed, to prevent platypus attacks.
See the _HTMLSanitizer class for more details.
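The whitelist-plus-regex approach the note describes, as an added example written for this page; it is not the code of feedparser's own _HTMLSanitizer. The property set, keyword set and value regex are constructed subsets chosen for the demonstration, and the extra FORBIDDEN_RE pre-check is this example's own addition: it rejects url(), Internet Explorer's expression(), the javascript: scheme and CSS escape or comment tricks before any token is even looked at, so a value that would slip past a loosely written keyword list still cannot carry a URI or code.

```python
import re

# Properties a style attribute may keep. Constructed subset of the page's
# whitelist, enough for the demonstration; the real list is longer.
ALLOWED_PROPERTIES = {
    "background-color", "color", "float", "clear", "display", "font-weight",
    "font-style", "text-align", "text-decoration", "height", "width",
}

# Keyword values accepted as-is. Assumption: a small set for the demo.
ALLOWED_KEYWORDS = {
    "left", "right", "none", "both", "center", "justify", "block", "inline",
    "bold", "normal", "italic", "underline", "auto", "transparent",
    "red", "blue", "green", "black", "white",
}

# Non-keyword tokens must be a hex color or a plain length/percentage.
# Anything else (functions, URIs, escapes) fails to match and is dropped.
VALUE_RE = re.compile(r"#[0-9a-fA-F]{3}|#[0-9a-fA-F]{6}|\d+(\.\d+)?(px|em|ex|pt|pc|cm|mm|in|%)?")

# Belt-and-braces check on the raw value before tokenising: url(), IE's
# expression(), the javascript: scheme, backslash escapes (e\78pression),
# angle brackets and comment splices (exp/**/ression).
FORBIDDEN_RE = re.compile(r"url\s*\(|expression\s*\(|javascript:|[\\<>]|/\*", re.IGNORECASE)


def sanitize_style(style):
    """Return a style string containing only whitelisted property/value pairs."""
    kept = []
    for declaration in style.split(";"):
        if ":" not in declaration:
            continue
        prop, _, value = declaration.partition(":")
        prop, value = prop.strip().lower(), value.strip()
        # Unknown property, or a value carrying anything URI- or code-like: drop it.
        if prop not in ALLOWED_PROPERTIES or FORBIDDEN_RE.search(value):
            continue
        tokens = value.split()
        # Every token must be a known keyword or match the color/length regex.
        if tokens and all(t.lower() in ALLOWED_KEYWORDS or VALUE_RE.fullmatch(t) for t in tokens):
            kept.append(f"{prop}: {' '.join(tokens)}")
    return "; ".join(kept)


# Constructed style attributes of the kind a hostile feed might carry.
CONSTRUCTED_STYLES = [
    "color: red; background-color: url(javascript:alert(1))",
    "width: expression(alert(document.cookie)); font-weight: bold",
    "behavior: url(evil.htc); float: left",
    "color: #ff0000; height: 10px; width: 50%",
    "color: e\\78pression(alert(1))",
]


def sanitize_all(styles):
    """Sanitize a list of style strings, preserving order."""
    return [sanitize_style(s) for s in styles]


if __name__ == "__main__":
    for before, after in zip(CONSTRUCTED_STYLES, sanitize_all(CONSTRUCTED_STYLES)):
        print(f"{before!r:60} -> {after!r}")
```

Because the decision is "keep only what matches", a property or value the list does not mention is dropped rather than examined; that is the whitelist stance the rest of this page argues for, and it is why font-family names and rgb() colors are absent from this cut-down example rather than handled by special cases.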

And so on, plus several other variations, plus every combination of every
variation.

The more I investigate, the more cases I find where Internet Explorer for
Windows will treat seemingly innocuous markup as code and blithely execute it.
This is why Universal Feed Parser uses a whitelist and not a
blacklist. I am reasonably confident that none of the elements or attributes on
the whitelist are security risks. I am not at all confident about elements or
attributes that I have not explicitly investigated. And I have no confidence at
all in my ability to detect strings within attribute values that Internet
Explorer for Windows will treat as executable code.